anti-download.microsoft.com/download/1/0/b/10b82be5-aa55-4e07...• hotel in oslo just before teched...


Page 1:
Page 2: Anti-Malware can’t save you in 2015
Sami Laiho – Senior Technical Fellow, MVP
Sovelto / Adminize.com

Page 3: WHOAMI /ALL
• http://www.samilaiho.com/
• MVP - Windows ITPro
• SpringBoard Technical Expert Panel member
• Senior Technical Fellow @ Sovelto
• Senior Technical Fellow @ adminize.com
• Twitter: @samilaiho
• Free newsletter: http://eepurl.com/F-GOj
Sami Laiho

Page 4: Let’s learn some Finnish!
Finnish: ”Kuusi palaa” (the same two words, nine times over) – English:
• ”The spruce is on fire”
• ”The spruce returns”
• ”The number six is on fire”
• ”The number six returns”
• ”Six of them are on fire”
• ”Six of them return”
• ”Your moon is on fire”
• ”Your moon returns”
• ”Six pieces”

Page 5: Projects
• www.wioski.com – Free replacement for SteadyState
• www.adminize.com – Getting rid of admin rights and providing one-time admin passwords
  – You never have to worry about changing local admin passwords again!
• blog.win-fu.com
• http://win-fu.com/ – My video-based training site, OPENING in August. Finally!

Page 6:
Page 7:
Page 8: Training your staff
• Hotel in Oslo just before TechEd Europe 2014
  – Me: ”A colleague of yours asked me to get a new key because mine didn’t work”
  – She: ”I’ll make you a new one”
  – Me: ”This wooden key doesn’t seem to work still. Your colleague used a plastic key so maybe it’s because of the thicker material that it works. You think you could make a key like that?”
  – She: ”I have to go check this in the backroom – just a second”
  – She: ”Here’s a key for you but you can’t tell anyone you got it because it’s a master key that can open any door in the hotel”

Page 9:
Page 10:
Page 11: Finnish 150M€ car shopping center
• The CEO of the company has gotten an offer from a man in the UK to transfer 30M€ to him to fund the project
• The money is from Regina Chiluba, widow of former Zambian president Frederick Chiluba
• The CEO sends 336000€ to fund the transaction of the money
• His transaction is frozen as a security measure
• He gets the money back and…
• Sends it again…

Page 12: The world is changing
• Symantec, F-Secure and almost every other AM company has said that their reactive solutions aren’t adequate to protect PCs in the future
• We need to change the focus from reactive to proactive

Page 13: Reactive solutions
• Anti-malware, network inspection service (NIS), software blacklisting…
• Always trying to catch up – “always” late!
• Needed on top of proactive measures – ‘just in case’

Page 14: Proactive solutions
• Correct permission levels, whitelisting, firewalls, IPSec…
• Keeps your computer clean and efficient
• Doesn’t rely on updates / fingerprints found by others
• More important than reactive measures

Page 15: Notes from the field
• “Only 25% have admin rights”
• “Only our laptop users have admin rights”
• “We don’t use firewalls on the internal network”
• “Executives get admin rights”
• “We tried whitelisting but gave up”
• “MAC and Linux are good ‘cause they don’t need antivirus”

Page 16: Proactive security in Windows
• Encryption - BitLocker
• Limited user rights
• Different levels of Admin accounts
• UAC
• Host based firewalls
• IPSec
• AppLocker whitelisting or Device Guard

Page 17: My laptop currently
• Doesn’t have an Anti-Malware enabled
• Has all firewall ports open

Page 18: I travel on airports for 200 days a year… Am I scared?

Page 19: Absolutely NOT!
• Instead of reactive protection I have:
  – AppLocker whitelisting – All software needs to be preapproved by me
  – I use IPSec – No one can talk to me without a certificate
  – No admin rights – I can’t disable my own protections
  – BitLocker – I’m protected against physical theft of data or someone breaking into my laptop’s OS
  – Current OS that’s up to date
  – Correct hardware – No DMA ports/interfaces!
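The following is an added example and not part of Sami’s deck: a read-only PowerShell posture check that covers the controls listed under ”Proactive security in Windows” (page 16) and the ones on this slide. It assumes Windows 10 / PowerShell 5.1 with the BitLocker, NetSecurity, AppLocker and LocalAccounts modules present; the registry values and cmdlets are the standard ones, the function names are mine, and the DMA check is only a name-matching heuristic over present devices.

```powershell
# Added example: read-only posture check for the proactive controls on pages 16 and 19.
# Run from an elevated PowerShell 5.1 prompt. Nothing here changes configuration.

function Test-ProactivePosture {
    $findings = New-Object 'System.Collections.Generic.List[object]'

    function Add-Finding([string]$Control, [bool]$Ok, [string]$Detail) {
        $findings.Add([pscustomobject]@{
            Control = $Control
            Status  = $(if ($Ok) { 'OK' } else { 'CHECK' })
            Detail  = $Detail
        })
    }

    # 1. Encryption: the OS volume is fully encrypted and protectors are active.
    try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        $ok  = ($vol.ProtectionStatus -eq 'On') -and ($vol.VolumeStatus -eq 'FullyEncrypted')
        Add-Finding 'BitLocker (OS volume)' $ok "$($vol.VolumeStatus), protection $($vol.ProtectionStatus)"
    } catch { Add-Finding 'BitLocker (OS volume)' $false "cannot query: $($_.Exception.Message)" }

    # 2. Limited user rights: the interactive user must not be a (direct) local administrator.
    #    Membership through nested domain groups is not resolved here.
    try {
        $me     = "$env:USERDOMAIN\$env:USERNAME"
        $admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop | ForEach-Object Name)
        Add-Finding 'Local Administrators' ($admins -notcontains $me) ("members: " + ($admins -join ', ') + "; current user: $me")
    } catch { Add-Finding 'Local Administrators' $false "cannot query: $($_.Exception.Message)" }

    # 3. UAC: enabled, admins are prompted (0 = silent elevation), prompt on the secure desktop.
    $p     = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $uacOk = ($p.EnableLUA -eq 1) -and ($p.ConsentPromptBehaviorAdmin -ne 0) -and ($p.PromptOnSecureDesktop -eq 1)
    Add-Finding 'UAC' $uacOk "EnableLUA=$($p.EnableLUA) ConsentPromptBehaviorAdmin=$($p.ConsentPromptBehaviorAdmin) PromptOnSecureDesktop=$($p.PromptOnSecureDesktop)"

    # 4. Host-based firewall: every profile on, and inbound not allowed by default.
    foreach ($fw in Get-NetFirewallProfile) {
        $ok = ($fw.Enabled -eq 'True') -and ($fw.DefaultInboundAction -ne 'Allow')
        Add-Finding "Firewall profile $($fw.Name)" $ok "Enabled=$($fw.Enabled) DefaultInboundAction=$($fw.DefaultInboundAction)"
    }

    # 5. IPsec: at least one enabled connection security rule that *requires* inbound authentication
    #    ("no one can talk to me without a certificate").
    $ipsec = @(Get-NetIPsecRule | Where-Object { $_.Enabled -eq 'True' -and $_.InboundSecurity -eq 'Require' })
    Add-Finding 'IPsec (inbound Require)' ($ipsec.Count -gt 0) "$($ipsec.Count) enabled rule(s) requiring inbound security"

    # 6. AppLocker: the effective policy contains at least one enforced rule collection.
    try {
        [xml]$pol  = Get-AppLockerPolicy -Effective -Xml
        $enforced  = @($pol.AppLockerPolicy.RuleCollection | Where-Object { $_.EnforcementMode -eq 'Enabled' })
        Add-Finding 'AppLocker' ($enforced.Count -gt 0) ("enforced collections: " + (($enforced | ForEach-Object Type) -join ', '))
    } catch { Add-Finding 'AppLocker' $false "cannot query: $($_.Exception.Message)" }

    # 7. Hardware (heuristic, mine): present Thunderbolt / 1394 controllers expose DMA-capable ports.
    $dma = @(Get-PnpDevice -PresentOnly -ErrorAction SilentlyContinue | Where-Object { $_.FriendlyName -match 'Thunderbolt|1394|FireWire' })
    Add-Finding 'DMA-capable ports (heuristic)' ($dma.Count -eq 0) $(if ($dma) { $dma.FriendlyName -join ', ' } else { 'none matched by name' })

    $findings
}

Test-ProactivePosture | Format-Table -AutoSize
```

Every row reports CHECK rather than FAIL on purpose: a missing module or a nested group membership needs a human look, not an automatic verdict. The script never calls anything that writes configuration, so it is safe to drop into a logon script or a scheduled task that feeds a central report.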

Page 21: A few demonstrations
• Why encryption?
• Why UAC?
• Why no admin rights?
• Why many levels of user accounts for Domain Admins?
• Why UAC is not enough?

Page 22: DEMO: Why encryption?

Page 23: How to prevent it?
• BitLocker becomes mandatory
• Join my other session today!

Page 24: It’s the last day of TechDays so time to give back!!

Page 25: 100 quickest to download this slide deck and click on the picture below will get a free Surface 3 Pro!!

Page 26: How to prevent it?
• UAC is really, Yes I mean Really, Good for you

Page 27: DEMO: Why no admin rights for end users?

Page 28: How to prevent it?
• If you really need to secure Group Policy settings, change the refresh settings
• Don’t give users Admin rights!
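An added example, not from the deck, for the ”change the refresh settings” point: a read-only PowerShell function that reads the Group Policy refresh interval and the Security Settings client-side-extension processing options on a domain-joined client, and works out the longest window during which a security setting undone by a local admin stays undone. The registry paths, the CSE GUID and the defaults (90 minutes plus up to 30 minutes offset; security settings reapplied every 960 minutes even when the GPO is unchanged) are the documented ones as I know them; verify them against your OS version. The function name and the drift-window calculation are mine.

```powershell
# Added example: how quickly does Group Policy re-apply security settings a local admin has tampered with?
# Read-only; run elevated on a domain-joined client.

# CSE GUID of the Security Settings client-side extension (scecli).
$SecurityCse = '{827D319E-6EAC-11D2-A4EA-00C04F79F83A}'

function Get-RegValue([string]$Path, [string]$Name, $Default) {
    # Returns the registry value if present, otherwise the documented default.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $Default
}

function Get-GpRefreshPosture {
    $sys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $cse = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\Group Policy\$SecurityCse"
    $ext = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\$SecurityCse"

    # "Set Group Policy refresh interval for computers": default 90 minutes plus a random 0-30 minute offset.
    $refresh = [int](Get-RegValue $sys 'GroupPolicyRefreshTime' 90)
    $offset  = [int](Get-RegValue $sys 'GroupPolicyRefreshTimeOffset' 30)

    # "Configure security policy processing": NoBackgroundPolicy=1 turns background refresh off,
    # NoGPOListChanges=0 reprocesses the settings even when the GPO version has not changed.
    $noBackground  = [int](Get-RegValue $cse 'NoBackgroundPolicy' 0)
    $noListChanges = [int](Get-RegValue $cse 'NoGPOListChanges' 1)

    # Even without "process even if unchanged", scecli reapplies security settings every
    # MaxNoGPOListChangesInterval minutes (default 960 = 16 hours).
    $maxInterval = [int](Get-RegValue $ext 'MaxNoGPOListChangesInterval' 960)

    if ($noBackground -eq 1) {
        $worstCase = [int]::MaxValue          # only at the next reboot / explicit gpupdate
    }
    elseif ($noListChanges -eq 0) {
        $worstCase = $refresh + $offset       # next background refresh re-applies everything
    }
    else {
        $worstCase = $maxInterval + $refresh + $offset
    }

    $recommendation = 'OK'
    if ($noListChanges -ne 0 -or $noBackground -ne 0) {
        $recommendation = 'Enable "Process even if the Group Policy objects have not changed" for security policy processing, and keep users out of local Administrators'
    }

    [pscustomobject]@{
        RefreshIntervalMinutes      = $refresh
        RefreshOffsetMinutes        = $offset
        BackgroundRefreshDisabled   = ($noBackground -eq 1)
        ReapplyEvenIfUnchanged      = ($noListChanges -eq 0)
        SecurityReapplyMaxMinutes   = $maxInterval
        WorstCaseDriftWindowMinutes = $worstCase
        Recommendation              = $recommendation
    }
}

Get-GpRefreshPosture | Format-List
```

The point the number makes is the one on the slide: tightening the refresh only narrows the window, it never closes it, because a local admin can re-apply the change as often as the policy re-applies it. The second bullet, no admin rights, is what removes the problem.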

Page 29: DEMO: Too few levels of admins

Page 30: How to prevent it?
• At least three user accounts for Domain Admins
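An added example to go with the ”separate accounts for Domain Admins” point; it is not part of the deck. The check resolves the recursive membership of Domain Admins with the RSAT ActiveDirectory module and then lists, from this machine’s Security log, every logon (event 4624) by one of those accounts of a type that leaves reusable credentials on the box: interactive (2), unlock (7) and RDP (10). A Domain Admin account showing up here on a workstation is exactly the failure the demo is about. Function names are mine; the module, event ID and logon-type numbers are standard.

```powershell
# Added example: find Domain Admin accounts that have logged on to this workstation.
# Needs the RSAT ActiveDirectory module and read access to the local Security log.
Import-Module ActiveDirectory

function Get-DomainAdminSet {
    # Recursive membership, keyed by lower-case sAMAccountName for quick lookups.
    $set = New-Object 'System.Collections.Generic.HashSet[string]'
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object { [void]$set.Add($_.SamAccountName.ToLowerInvariant()) }
    return $set
}

function Get-DomainAdminLogon {
    param([int]$Days = 7)
    $admins = Get-DomainAdminSet
    # Logon types that put reusable credentials on this box: 2 interactive, 7 unlock, 10 RemoteInteractive (RDP).
    $exposedTypes = 2, 7, 10
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $user = ([string]$data['TargetUserName']).ToLowerInvariant()
        if ($admins.Contains($user) -and ($exposedTypes -contains [int]$data['LogonType'])) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Account   = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                LogonType = [int]$data['LogonType']
                Source    = $data['IpAddress']
            }
        }
    }
}

Get-DomainAdminLogon -Days 7 | Format-Table -AutoSize
```

Run it across a sample of workstations and the output is the list of people who still use their Domain Admin account for daily work; with the three-account model the list should be empty, because the Domain Admin account only ever logs on to domain controllers.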

Page 31: DEMO: Why UAC is not enough?

Page 32:
Page 33:
Page 34: DEMO: BadMouse aka BadUSB!

Page 35: How to prevent it?
• Always use limited user accounts for daily use – Not just UAC!
• Use only tamper-proof devices that are known to use signed firmware and that can’t be flashed
• Teach people about it
• More info:
  – http://www.zdnet.com/badusb-big-bad-usb-security-problems-ahead-7000032211/
  – https://www.youtube.com/watch?v=nuruzFqMgIw
  – https://github.com/adamcaudill/Psychson
  – https://www.youtube.com/watch?v=xcsxeJz3blI
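An added, defender-side example for the BadUSB demo (not code from the deck): a ”mouse” or ”thumb drive” that reprogrammed itself into a keyboard still has to register as a keyboard-class device, so it shows up in a device inventory and as a PnP arrival event. The snippet lists the keyboard-class devices currently present, compares them with a baseline, and registers a WMI event subscription that warns whenever a new keyboard-class device appears. The WMI class and query are standard (Win32_PnPEntity.PNPClass needs Windows 8 or later); the function names and the baseline idea are mine.

```powershell
# Added example: make unexpected keyboard-class devices (the BadUSB pattern) visible.
# Runs as a normal user; no configuration is changed.

function Get-KeyboardInventory {
    # Every device Windows treats as a keyboard, with the enumerator prefix of its device ID.
    Get-CimInstance Win32_PnPEntity -Filter "PNPClass = 'Keyboard'" |
        Select-Object Name, DeviceID, Status, @{ n = 'Enumerator'; e = { ($_.DeviceID -split '\\')[0] } }
}

function Compare-KeyboardBaseline {
    # Returns keyboard-class devices whose IDs are not in the known baseline.
    param([string[]]$KnownDeviceIds)
    Get-KeyboardInventory | Where-Object { $KnownDeviceIds -notcontains $_.DeviceID }
}

function Register-KeyboardArrivalAlert {
    # Fires for every new keyboard-class PnP instance; WMI polls for the intrinsic event every 2 seconds.
    $query = "SELECT * FROM __InstanceCreationEvent WITHIN 2 " +
             "WHERE TargetInstance ISA 'Win32_PnPEntity' AND TargetInstance.PNPClass = 'Keyboard'"
    Register-CimIndicationEvent -Query $query -SourceIdentifier 'KeyboardArrival' -Action {
        $dev = $Event.SourceEventArgs.NewEvent.TargetInstance
        Write-Warning "New keyboard-class device: $($dev.Name) [$($dev.DeviceID)] at $(Get-Date -Format s)"
    }
}

# Usage: take the baseline while the laptop is in a known state, then watch for anything else.
$baseline = (Get-KeyboardInventory).DeviceID
Register-KeyboardArrivalAlert
Compare-KeyboardBaseline -KnownDeviceIds $baseline    # empty right after baselining
# Unregister-Event -SourceIdentifier 'KeyboardArrival'   # stop watching
```

Replace the Write-Warning with a write to an event log or a SIEM forwarder if you want the alert collected centrally. The detection is deliberately coarse: it does not tell a malicious device from a real second keyboard, it only makes sure a keystroke injector does not arrive silently, which is the part ”teach people about it” relies on.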

Page 36: Want to know more and how to implement?
• Join my other session today!
• More demos and more on how to solve these issues!
• Join my trainings in the Netherlands:
  – http://www.pds-site.com/nl/sysadmin-trainingen/blackbelt-troubleshooting-the-windows-os-pdcbbtwo

Page 37: Your feedback is important!
Scan the QR Code and let us know via the TechDays App.
Let us know what you think of the session via the TechDays App! Scan the QR Code.
Are you already a member of the Microsoft Virtual Academy? On MVA you can always learn something new about the latest Microsoft technology. Sign up today at the MVA stand. MVA offers free 24/7 on-demand online training for IT professionals and developers.

Page 38: